
Privacy vulnerabilities

Identifying users by fingerprinting, e.g. from the IP address, browser type and version, installed add-ons, ...
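To show why the combination of such attributes is the problem rather than any single one, here is an added illustration (not code from this page or from any tool it names): a Panopticlick-style entropy calculation over a small constructed sample of visitors described by IP network, browser version and installed add-ons. The visitor records and the attribute names are constructed for this example.

```python
"""Estimate how identifying a combination of browser attributes is.

Added example, not from the original page. Applies the usual entropy /
surprisal measure to a constructed sample: each attribute alone matches
several visitors, while the combination singles most of them out.
"""
import math
from collections import Counter

# Constructed sample, one record per visitor (not real measurements).
SAMPLE_VISITORS = [
    {"ip_net": "198.51.100.0/24", "browser": "Firefox 4.0b", "addons": ("Ghostery", "TACO")},
    {"ip_net": "198.51.100.0/24", "browser": "Firefox 4.0b", "addons": ("Ghostery",)},
    {"ip_net": "203.0.113.0/24",  "browser": "Chrome 9",     "addons": ("SelectOut",)},
    {"ip_net": "203.0.113.0/24",  "browser": "Chrome 9",     "addons": ()},
    {"ip_net": "192.0.2.0/24",    "browser": "Firefox 3.6",  "addons": ()},
    {"ip_net": "192.0.2.0/24",    "browser": "Firefox 3.6",  "addons": ()},
    {"ip_net": "192.0.2.0/24",    "browser": "Firefox 4.0b", "addons": ("Ghostery",)},
    {"ip_net": "198.51.100.0/24", "browser": "Chrome 9",     "addons": ("Ghostery", "TACO")},
]


def joint_values(visitors, keys):
    """Tuple of the chosen attributes for every visitor."""
    return [tuple(v[k] for k in keys) for v in visitors]


def attribute_entropy(visitors, keys):
    """Shannon entropy, in bits, of the joint attribute value across visitors."""
    n = len(visitors)
    counts = Counter(joint_values(visitors, keys))
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def surprisal(visitors, keys, visitor):
    """Bits of identifying information in one visitor's values: -log2(p)."""
    value = tuple(visitor[k] for k in keys)
    matches = joint_values(visitors, keys).count(value)
    return -math.log2(matches / len(visitors))


def uniquely_identified(visitors, keys):
    """How many visitors have an attribute combination nobody else shares."""
    counts = Counter(joint_values(visitors, keys))
    return sum(1 for c in counts.values() if c == 1)


def report(visitors=SAMPLE_VISITORS):
    """Entropy and unique-visitor count per attribute and for the full fingerprint."""
    keysets = [("ip_net",), ("browser",), ("addons",), ("ip_net", "browser", "addons")]
    return {keys: (round(attribute_entropy(visitors, keys), 2),
                   uniquely_identified(visitors, keys))
            for keys in keysets}


if __name__ == "__main__":
    for keys, (bits, unique) in report().items():
        print(f"{'+'.join(keys):24s} {bits:5.2f} bits  {unique}/{len(SAMPLE_VISITORS)} unique")
```

In the constructed sample no single attribute identifies anyone, but the three together identify six of the eight visitors; the full fingerprint carries 2.75 of the 3 bits needed to name a visitor outright.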

Technical approaches

Privacy vulnerability detection on server side

Privacy vulnerability detection on client side

Client-side patterns implying a privacy vulnerability, e.g.:

3rd party links (typically trackers)

3rd party cookies

invisible images / web bugs

behavioral tracking patterns
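The patterns in the list above can be recognised from the markup and response headers a browser sees. The following scanner is an added example (not code from this page or from any of the add-ons listed further down): it flags third-party script, image, iframe and link references, invisible images (0/1 pixel boxes or hidden by inline CSS) and cookies set by third-party hosts. The sample page, host names and headers are constructed for the example, and the "registrable domain" helper is a simplification (last two host labels) where a real tool would consult the public suffix list.

```python
"""Flag client-side tracking patterns in a fetched HTML page.

Added example, not code from the page or from any tool it names.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

HIDDEN_CSS = ("display:none", "visibility:hidden")


def registrable_domain(host):
    """Crude eTLD+1: last two labels (assumption; real tools use the PSL)."""
    return ".".join(host.lower().split(".")[-2:])


def is_third_party(url, page_url):
    """True when the URL's site differs from the page's site; relative URLs are first party."""
    host = urlparse(url).hostname
    if not host:
        return False
    return registrable_domain(host) != registrable_domain(urlparse(page_url).hostname)


def looks_invisible(attrs):
    """Web-bug heuristic: 0/1 pixel box, or hidden through inline CSS."""
    a = {k: (v or "") for k, v in attrs}
    tiny = {"0", "1", "0px", "1px"}
    if a.get("width", "").strip() in tiny and a.get("height", "").strip() in tiny:
        return True
    style = a.get("style", "").replace(" ", "").lower()
    return any(rule in style for rule in HIDDEN_CSS)


class TrackerScanner(HTMLParser):
    """Collects (kind, tag, url) findings while parsing the page."""
    SRC_TAGS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr = self.SRC_TAGS.get(tag)
        if attr is None:
            return
        url = dict(attrs).get(attr)
        if url and is_third_party(url, self.page_url):
            self.findings.append(("third_party", tag, url))
        if tag == "img" and looks_invisible(attrs):
            self.findings.append(("invisible_image", tag, url or ""))


def cookie_findings(page_url, responses):
    """responses: (url, [Set-Cookie values]) pairs observed while loading the page."""
    out = []
    for url, set_cookies in responses:
        if is_third_party(url, page_url):
            for cookie in set_cookies:
                out.append(("third_party_cookie", urlparse(url).hostname, cookie.split(";")[0]))
    return out


def scan(page_url, html, responses=()):
    """Return all findings for one page load."""
    parser = TrackerScanner(page_url)
    parser.feed(html)
    return parser.findings + cookie_findings(page_url, responses)


# Constructed sample page and response headers (not captured traffic).
SAMPLE_PAGE_URL = "https://www.example.com/news/"
SAMPLE_HTML = """
<html><head>
<script src="/js/app.js"></script>
<script src="https://cdn.example.com/lib.js"></script>
<script src="https://ads.tracker-network.example/collect.js"></script>
</head><body>
<img src="/logo.png" width="120" height="40">
<img src="https://pixel.tracker-network.example/p.gif" width="1" height="1">
<img src="https://stats.another-tracker.example/b.gif" style="display: none">
<iframe src="https://ads.tracker-network.example/frame"></iframe>
</body></html>
"""
SAMPLE_RESPONSES = [
    ("https://www.example.com/news/", ["session=abc; Path=/; HttpOnly"]),
    ("https://ads.tracker-network.example/collect.js",
     ["uid=123456; Path=/; Domain=.tracker-network.example"]),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_PAGE_URL, SAMPLE_HTML, SAMPLE_RESPONSES):
        print(*finding)
```

On the sample page the CDN host shares the page's registrable domain and is left alone, while the two tracking hosts produce four third-party references, two invisible images and one third-party cookie.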

Tools, Add-ons, Projects to Detect & Protect Privacy

Data privacy is not only a client-side issue, but may also be a server-side issue: for example, data stored in cloud services needs to be protected somehow. So for now we distinguish protection and detection tools in four areas:

Abine TACO sets all the NAI opt-out cookies to stop advertisers from delivering content based on their attempts to profile you and your online behavior. At each website you visit TACO can show you how many and which advertising networks you've opted-out of.

Introducing the new Google Chrome extension for SelectOut. This extension allows you to control your online tracking cookie by Opting-Out and In to the companies you choose, Opt-Out of all if you don't want to have to research them all, and even gives you the option of viewing profiles on each of the companies.

Available for Firefox, Chrome, Safari, Internet Explorer. Scans the page for scripts, pixels, and other elements and notifies the user of the companies whose code is present on the page. These page elements aren't otherwise visible to the user, and often not detailed in the page source code. Ghostery allows users to learn more about these companies and their practices, and block the page elements from loading if the user chooses.

Alpha release: tracks what information is collected by the visited websites. Allows preferences to be set on a site-by-site basis.

Note: Currently maintained by W3.org, full description expected by March 2011.

Description:

observe HTTP requests and responses while loading the web page

log the collected HTTP traffic in a SQLite database "dashboard.sqlite" in the browser's profile folder

access additional databases maintained by the browser and the folders containing the LSOs (Flash Local Shared Objects)

cancel HTTP requests, e.g. for third-party content, based on the user's preferences for a given web site

user-settable site preferences, e.g. to block 3rd-party cookies or content, to disable scripting, ...

Detected privacy patterns, e.g.:

internal third party content

external third party content

invisible images (based on the image dimension / hidden by CSS)

User Interface

adds a smiley icon to the browser's navigation toolbar that reflects a measure of the privacy friendliness of the current web page

click on the face to view privacy details
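The description above (observe requests, log them to SQLite, cancel requests per site preference, summarise the result as a smiley) can be modelled end to end in a few dozen lines. What follows is an added example, not the add-on's own code: it logs constructed traffic into a SQLite table, drops third-party requests or their Set-Cookie headers according to per-site preferences, and reduces the log to a score for the toolbar face. The page names "dashboard.sqlite" in the profile folder; this example uses an in-memory database so it runs anywhere. The preference keys, the site key heuristic (last two host labels) and the score thresholds are assumptions made for the example.

```python
"""Model of a privacy dashboard add-on's request pipeline.

Added example, not the add-on's own code. Traffic below is constructed.
"""
import sqlite3
from urllib.parse import urlparse


def site_of(url):
    """Site key for first/third-party decisions: last two host labels (assumption)."""
    return ".".join((urlparse(url).hostname or "").split(".")[-2:])


# Per-site preferences the user can set; DEFAULT_PREFS applies to sites not listed.
DEFAULT_PREFS = {"block_third_party_content": False, "block_third_party_cookies": True}
SITE_PREFS = {
    "example.com": {"block_third_party_content": True, "block_third_party_cookies": True},
}


def prefs_for(page_url):
    return {**DEFAULT_PREFS, **SITE_PREFS.get(site_of(page_url), {})}


class Dashboard:
    """Observes each request of a page load, enforces preferences, logs to SQLite."""

    def __init__(self, db_path=":memory:"):
        self.db = sqlite3.connect(db_path)
        self.db.execute(
            "CREATE TABLE IF NOT EXISTS requests ("
            " page TEXT, url TEXT, third_party INTEGER,"
            " cancelled INTEGER, cookie_blocked INTEGER)")

    def process(self, page_url, url, response_headers):
        """Apply preferences to one request; returns (allowed, headers to deliver)."""
        third = site_of(url) != site_of(page_url)
        prefs = prefs_for(page_url)
        cancelled = third and prefs["block_third_party_content"]
        delivered, cookie_blocked = [], 0
        if not cancelled:
            for name, value in response_headers:
                if third and prefs["block_third_party_cookies"] and name.lower() == "set-cookie":
                    cookie_blocked = 1      # strip the third-party cookie
                    continue
                delivered.append((name, value))
        self.db.execute("INSERT INTO requests VALUES (?, ?, ?, ?, ?)",
                        (page_url, url, int(third), int(cancelled), cookie_blocked))
        return (not cancelled), delivered

    def summary(self, page_url):
        """Counts for the page plus a privacy score and the toolbar face."""
        row = self.db.execute(
            "SELECT COUNT(*), SUM(third_party), SUM(cancelled), SUM(cookie_blocked),"
            " SUM(third_party AND NOT cancelled) FROM requests WHERE page = ?",
            (page_url,)).fetchone()
        total, third, cancelled, cookies_blocked, live_third = row
        score = 1.0 - live_third / total if total else 1.0   # share of requests not leaking to 3rd parties
        face = ":-)" if score >= 0.9 else ":-|" if score >= 0.6 else ":-("  # assumed thresholds
        return {"requests": total, "third_party": third, "cancelled": cancelled,
                "cookies_blocked": cookies_blocked, "score": round(score, 2), "face": face}


# Constructed traffic: (page being loaded, requested URL, response headers sent).
SAMPLE_TRAFFIC = [
    ("https://www.example.com/", "https://www.example.com/",
     [("Content-Type", "text/html"), ("Set-Cookie", "session=1; Path=/")]),
    ("https://www.example.com/", "https://cdn.example.com/app.js",
     [("Content-Type", "application/javascript")]),
    ("https://www.example.com/", "https://ads.tracker-network.example/collect.js",
     [("Set-Cookie", "uid=42; Domain=.tracker-network.example")]),
    ("https://www.example.com/", "https://pixel.tracker-network.example/p.gif", []),
    ("https://news.other-site.example/", "https://news.other-site.example/",
     [("Set-Cookie", "s=1; Path=/")]),
    ("https://news.other-site.example/", "https://ads.tracker-network.example/collect.js",
     [("Set-Cookie", "uid=42; Domain=.tracker-network.example")]),
    ("https://news.other-site.example/", "https://pixel.tracker-network.example/p.gif", []),
]


def run_sample(traffic=SAMPLE_TRAFFIC):
    """Feed the constructed traffic through one Dashboard; summaries per page."""
    dash = Dashboard()
    for page, url, headers in traffic:
        dash.process(page, url, headers)
    return {page: dash.summary(page) for page in dict.fromkeys(p for p, _, _ in traffic)}


if __name__ == "__main__":
    for page, summary in run_sample().items():
        print(page, summary)
```

With the sample preferences, example.com (third-party content blocked) ends with a happy face because both tracker requests were cancelled, while the second site still lets the tracker content load, has its cookie stripped, and gets the unhappy face.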

Proxies

A proxy can either run on an intermediate server such as a company gateway, or be installed on the client system itself.
In both cases the browser needs to be configured to use that proxy. Since there is no difference from the browser's point of view, we do not distinguish between these proxy types.

The drawback of using a proxy is that SSL/TLS (https) is either not supported (e.g. Privoxy, as of 2011), or the trust chain is broken and the browser indicates this with a warning message and a broken "lock" icon.

Standalone Tools

2. Server-side Tools

3. Protocol

Mozilla Firefox 4 Beta

"Do Not Track" Option - Privacy Feature

You can check a “Do Not Track” box in the “Advanced” screen of Firefox’s Options. When this option is selected, a header will be sent signaling to websites that you wish to opt-out of online behavioral tracking. You will not notice any difference in your browsing experience until sites and advertisers start responding to the header.
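The header only has an effect once a site checks for it, so here is an added example (not Mozilla's or any site's code) of the server side honouring it: a minimal WSGI application that reads the DNT request header (which WSGI exposes as HTTP_DNT) and, when the browser sent "DNT: 1", serves the page without setting a behavioural-tracking cookie or recording the visit. The request environments are built with wsgiref's testing helper, so nothing goes over the network; the cookie name and the tracking log are constructed for the example.

```python
"""Honouring the Do Not Track header on the server side.

Added example, not code from the page. TRACKING_LOG and the cookie name are
constructed stand-ins for whatever a site uses for behavioural tracking.
"""
from wsgiref.util import setup_testing_defaults

TRACKING_LOG = []  # constructed stand-in for a behavioural-tracking store


def dnt_requested(environ):
    """True when the client sent 'DNT: 1', the value Firefox sends when the box is checked."""
    return environ.get("HTTP_DNT", "").strip() == "1"


def app(environ, start_response):
    """WSGI app that tracks only visitors who did not opt out."""
    headers = [("Content-Type", "text/plain; charset=utf-8")]
    if dnt_requested(environ):
        body = b"Hello. Do Not Track honoured: no tracking cookie set.\n"
    else:
        TRACKING_LOG.append((environ.get("REMOTE_ADDR"), environ.get("PATH_INFO")))
        headers.append(("Set-Cookie", "track_id=example-id; Path=/; HttpOnly"))
        body = b"Hello.\n"
    start_response("200 OK", headers)
    return [body]


def call(path, dnt=None):
    """Invoke the app once with a constructed request; returns (status, headers, body)."""
    environ = {"PATH_INFO": path}
    if dnt is not None:
        environ["HTTP_DNT"] = dnt      # what the browser's 'DNT: 1' header becomes in WSGI
    setup_testing_defaults(environ)    # fills in REMOTE_ADDR, SERVER_NAME, wsgi.* keys
    captured = {}

    def start_response(status, response_headers, exc_info=None):
        captured["status"], captured["headers"] = status, response_headers

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    for dnt in ("1", None):
        status, headers, body = call("/news", dnt=dnt)
        print(f"DNT={dnt!r}: {status} {headers} {body!r}")
    print("tracked visits:", TRACKING_LOG)
```

The same check belongs in every place the site records behaviour (analytics beacons, ad calls, server logs used for profiling), not just where the cookie is set; otherwise the header is honoured in name only.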

Micro survey

CW created a micro survey on paper called A Few Questions, to try to gather a few [10] views from other quarters in OWASP [2 participants from the working session, and 8 other leaders], as to the relevance of "personal data protection" within OWASP's mission. The questions (and anonymous answers) were:

Q1: Can OWASP contribute to PCI-DSS compliance initiatives?

A1:

Yes.

Yes of course - we already have by reference to the Top 10.

Yes, we have done so, but to my knowledge we have allowed our relationship with PCI to languish.

Yes.

Unsure, as I'm not fully used to PCI-DSS, but guess 'yes'.

Yes.

Yes.

Yes.

Don't know.

Yes in terms of providing knowledge, training and resources to QSAs. We [OWASP] could also provide info focused on companies who are going to be assessed.

Q2: Can OWASP contribute to fraud detection and prevention?

A2:

Yes.

Yes it would be included in our mission/purpose.

Yes, ***, *** and I were discussing some potential solutions to this.

Yes.

Yes.

Yes, it should at least 'list' possible threats.

Yes.

Yes.

Don't know.

AppSensor seems to be quite useful here.

Q3: Are there application vulnerabilities that can contribute to successful fraud?

A3:

Yes.

Yes of course.

At the risk of being glib, most successful exploitations of vulnerabilities lead to some sort of fraud.